Techdirt. Stories filed under "spyware"
Easily digestible tech news...
https://www.techdirt.com/

Study Shows Lenovo, Other OEM Bloatware Still Poses Huge Security Risk
Karl Bode
Fri, 3 Jun 2016 15:42:27 PDT
https://www.techdirt.com/articles/20160602/15152934609/study-shows-lenovo-other-oem-bloatware-still-poses-huge-security-risk.shtml

early last year, the company was busted for installing Superfish adware that opened all of its customers up to dangerous man-in-the-middle attacks, then tried to claim they didn't see what all the fuss was about. Not too long after that, the company was busted for using a BIOS trick to reinstall its bloatware on consumer laptops upon reboot -- even if the user had installed a fresh copy of the OS.

Now Lenovo and its bloatware are making headlines once again, with the news that the company's "Accelerator Application" software makes customers vulnerable to hackers. The application is supposed to make the company's other bloatware, software, and pre-loaded tools run more quickly, but Lenovo was forced to issue a security advisory urging customers to uninstall it because it -- you guessed it -- opened them up to man-in-the-middle attacks.

"Updaters are an obvious target for a network attacker, this is a no-brainer. There have been plenty of attacks published against updaters and package management tools in the past, so we can expect OEM’s to learn from this, right?
Spoiler: we broke all of them (some worse than others). Every single vendor had at least one vulnerability that could allow for a man-in-the-middle (MITM) attacker to execute arbitrary code as SYSTEM. We’d like to pat ourselves on the back for all the great bugs we found, but the reality is, it’s far too easy."

And again, to be clear, Lenovo wasn't alone in being incompetent here. In fact, the firm tried to find any vendor whose bloatware didn't pose a security risk, and they couldn't actually do so:

Here's a novel idea: if OEMs can't actually learn from past mistakes and secure their bloatware, how about they do us all a favor and stop installing such crapware in the first place?

Guy Argues That Anti-Ad Blocker Systems Violate EU Privacy Laws
Mike Masnick
Thu, 21 Apr 2016 10:39:30 PDT
https://www.techdirt.com/articles/20160421/07271134233/guy-argues-that-anti-ad-blocker-systems-violate-eu-privacy-laws.shtml

ridiculous it is that many news sites (including Wired and Forbes -- and apparently, now, the NY Times) have started using annoying anti-ad blocker software, in which it will block visitors from viewing their content if those sites detect (or think they detect) that you're using an ad blocker. This is ridiculous on any number of levels, but most of all because it is forcing people to put their computers at risk. Plenty of people have tried explaining to publishers that this practice is a bad idea, but to no avail.

However, over in Europe, one privacy activist thinks he may have found another path. Alexander Hanff wrote to the EU Commission with his reasoning, claiming that anti-ad blockers are a form of spyware that illegally violates the EU's ePrivacy Directive by not getting consent. As you may have noticed, not too long ago, when you started visiting EU-based websites, they would always inform you of their policy on storing cookies and request that you "accept" the site's policy. This was because of a new electronic privacy directive that some have called the Cookie Law. However, as Hanff notes, it's quite possible that using an ad-blocker detector script is basically doing the same sort of thing as a cookie in terms of spying on client-side information within one's web browser, and a letter he received from the EU Commission apparently confirms his assertion.

It's unclear from the excerpt of the letter that he's posted if it's quite as slam-dunk a case as he's indicated, but it certainly is an interesting read of the law. Either way, Hanff has made it clear that he's going to use this "opinion" from the EU Commission to go after a ton of websites using anti-ad block systems:

This is huge, I am about to launch legal complaints across multiple EU member states & now have formal @EU_Commission opinion to support

Of course, from the sound of things, if Hanff is correct in his analysis, this could make things trickier for EU sites that want to use anti-ad-block software, as they'd have to first get users' consent, and give them some level of control (possibly allowing them to just bypass the ad blocker check entirely). There are all sorts of reasons why the war on ad blocking is a bad idea, but here's one more possibility, especially for EU sites.

South Korea Shoots The (Smart) Sheriff; Pull Support For Mandated, Severely Flawed Cellphone Spyware App
Tim Cushing
Thu, 5 Nov 2015 10:39:54 PST
https://www.techdirt.com/articles/20151103/15160532707/south-korea-shoots-smart-sheriff-pull-support-mandated-severely-flawed-cellphone-spyware-app.shtml

The South Korean government's strong suggestion parents should install spyware in their kids' phones resulted in the official blessing of Smart Sheriff -- a program that hoovered up communications and data and sent it all back to the MOIBA mothership with a minimum of security. Citizen Lab security researchers found numerous flaws in the spy app, ranging from the unencrypted transmission (and storage) of data to the circumvention of HTTPS protections in order to check sites against blacklists.

Moon Hyun-seok, a senior official at the Korea Communications Commission, told The Associated Press that "Smart Sheriff" has been removed from the Play store, Google's software marketplace, and that existing users are being asked to switch to other programs.

The government plans to shut down the service to existing users "as soon as possible," he said.

A second audit of the Smart Sheriff application reveals that there are numerous unresolved security vulnerabilities that put minor children and parental users of the application at serious risk.

MOIBA, the Korean industry consortium responsible for the Smart Sheriff application, has been slow to respond to the issues raised (of which it was notified more than 90 days ago); the fixes that have been applied do not adequately or effectively address the issues, especially for users; and MOIBA has not communicated transparently to the public about Smart Sheriff’s known risks.

Citizen Lab recommended the removal of the spy app from the market, with its recommendation arriving only a day ahead of the South Korean government's official announcement. The researchers still consider the app to be highly-exploitable, thanks to MOIBA's half-assed patch job. At this point -- with the app still in wide use -- the only thing not leaking information is MOIBA's PR team.

MOIBA claims to have addressed the issues raised by Citizen Lab, but researchers point out most of the "solutions" were cosmetic. The underlying vulnerabilities remain.

Overall, while some changes have been made in response to the initial disclosure made by Citizen Lab to MOIBA, attackers still have most of the same opportunities to exploit vulnerabilities in the application as they did in previous versions. Many of the issues that were marked as high priority in the previous report, such as the lack of protections around sensitive private data, and transport security, remain effectively unaddressed.

That the government has made the move to kill the app and repeal its support is a positive step, but it's one that took place after several terrible decisions. Mandating spyware for phone users is already a problem, no matter the intent behind it. If parents want to spy on their kids' phone use, it should be up to the parents, not the government. That the government threw its weight behind an app whose developers couldn't even be bothered to implement halfway decent security measures until after researchers discovered the holes makes this even worse.

Government-Mandated Parental Spyware Found To Be Leaking Personal Data At An Alarming Rate
Tim Cushing
Tue, 22 Sep 2015 09:43:34 PDT
https://www.techdirt.com/articles/20150920/20420432310/government-mandated-parental-spyware-found-to-be-leaking-personal-data-alarming-rate.shtml

A few months ago, the South Korean government strongly suggested parents load their children's cell phones up with government-approved spyware. It recommended an app called "Smart Sheriff." The app provided plenty of reassurance for parents, if said parents were willing to let the government look over their children's shoulder while they browsed the web, chatted about kid/teen things or otherwise engaged with their devices.

It also claimed to block porn, alert parents to budding sexuality and otherwise ensure no amount of phone use was left unreported. And, if South Korean parents somehow felt the government might be overstepping its bounds a bit, cell phone providers were obliged to hassle parents about underuse of the government-approved spy app.

Now, it appears that everything the mandated spyware grabs, it also leaks in one form or another. Citizen Lab (the same entity that sniffed out the connection between malware provider Hacking Team and blacklisted governments) has audited Smart Sheriff and has found its security measures to be mostly terrible. Not only does the recommended app not protect the transmission of personal data, but it doesn't even live up to the government's own standards for data and information security.

We identified twenty-six vulnerabilities and design issues that could lead to the compromise of user accounts, disclosure of information, and corruption of infrastructure. The same issues were often present in multiple parts of the application and infrastructure. For example, we identified a potential attack against user accounts via the Smart Sheriff mobile application, then determined that it could also be made against the Web-based parental administration site. These multiple flaws suggest that the application was not fully examined for security issues before being released. Both audits were done in a limited window of time and without access to the original source code.

Smart Sheriff loads up on personal data during registration, demanding the phone numbers of both children and parents, along with the child's gender and date of birth. The information keeps flowing while in use, gathering data on apps installed and used, as well as browsing history. Then it transmits all of this information (some of it in plaintext) back to its storage, which is unencrypted. (This makes a certain sort of sense, considering the transmission of data is similarly unencrypted. Why lock it down in storage if you can't be bothered to arrange for its safe travel?)

What comes through as plaintext is the user's browser history. Visited sites are matched against a blocklist. (Strangely, no sites are actually blocked, as this function raised concerns about user privacy. But it still gathers the data, sends it in plaintext and stores it in unencrypted form. So these privacy concerns are sabotaged just as soon as they're addressed.) In order to match sites against its blocklist, the software edges around HTTPS protections to match the user to the site visited.

Beyond that, the software's authentication process can be decrypted by reverse engineering or decompiling the app. There's layer upon layer of inadequate security that adds up to a total catastrophe should anyone manage to make their way through any number of easily-prised doors.

The primary mechanism for authentication across the Smart Sheriff service is a device identifier that is derived using reversible obfuscation rather than industry-standard encryption. If an attacker is able to guess, enumerate, or intercept the device identifier of a phone with Smart Sheriff installed, the attacker can impersonate the application and undertake a range of attacks.

For example, using only the device identifier, an attacker can impersonate a user and request the parents’ phone number, children’s names, and their dates of birth. Moreover, an attacker can use the Smart Sheriff API to request a parent’s administration code (itself an insecure four-character string) and use it to take control of the account.

Basically, the app is good enough for government work, as the saying goes. The government desires its public to have more control over the actions of their children. This, in turn, allows the government to have more control over the parents. The "do something" do-goodery we see in our own legislators is echoed here. In response, a "good enough" solution is mandated, even if it's not actually good enough. No one in charge of these mandates seems to care too much about the security flaws and gaping holes -- not even the company that made the app.

After our disclosure, MOIBA released an update to Smart Sheriff (v1.7.6) that includes communication over HTTPS. However this version does not properly validate the credentials received and appears to accept a self-signed certificate, which minimizes the update’s effectiveness.

As Citizen Lab points out, the software does too much and too little, simultaneously, gathering the worst aspects of both. It fails to meet government guidelines on information security while going much further with surveillance and control than the government has actually mandated. The worst part of it is that the government has mandated use of the software, which gives citizens no option but to place their children's privacy in the hands of an entity that clearly has no respect for it. On top of that, it makes parental monitoring of children's cell phone use the new normal, which only makes it easier for the government to make further related demands down the road.

Company That Lets Parents Spy On Their Kids' Computer Usage... Has Database Hacked And Leaked
Mike Masnick
Thu, 28 May 2015 08:16:52 PDT
https://www.techdirt.com/articles/20150522/12444731087/company-that-lets-parents-spy-their-kids-computer-usage-has-database-hacked-leaked.shtml

shared around the darkweb. And it exposed not just customer names but "countless emails, text messages, payment and location data" of those children and employees that the company was supposedly making "safe" and "efficient."

“There is no data of 400,000 of our customers on the web,” a spokeswoman for the company told the BBC. “We believe to have become a victim of a predatory attack, aimed to take advantage of our estimated commercial achievements.”

"Much to our regret, we must inform you that data leakage has actually taken place," spokeswoman Amelie Ross told BBC News.

"However, the scope and format of the aforesaid information is way too exaggerated."

She said that 80,000 customers had been affected. Initial reports suggested up to 400,000 customer details had been exposed.

"Naturally, we have communicated with our customers whose data could have been stolen, and described them a situation. We put in place all the necessary remedial measures and continue to work on mechanism of data encryption," she added.

We'll see. If history is any guide, the hack may be even worse. In almost every story of a big hack into corporate computer systems, the initial estimate on the number of accounts impacted is too low, and adjusted upward at a later date.

Either way, it appears that in the process of trying to make children "safe" -- the company may have ended up doing the exact opposite.

South Korea's New Law Mandates Installation Of Government-Approved Spyware On Teens' Smartphones
Tim Cushing
Mon, 18 May 2015 05:43:58 PDT
https://www.techdirt.com/articles/20150516/14302631031/south-koreas-new-law-mandates-installation-government-approved-spyware-teens-smartphones.shtml

Considering the extent of its (mostly web-related) censorship efforts, South Korea must consider itself fortunate to be next-door neighbors with North Korea. Any time another censorship effort arrives, all the government has to say is, "Hey, at least we're not as bad as…" while pointing its index fingers in an upward/roughly northerly direction.

It blocks sites and web pages with gusto, subverting its own technological superiority by acting as a Puritanical parental figure. Not that it helps. Every time the government ropes off one area, citizens carve out another. Four years ago, it attempted to pass a law making government-approved computer security software installation mandatory, supposedly in hopes of heading off the enlistment of citizens' computers into botnet armies.

The app, "Smart Sheriff," was funded by the South Korean government primarily to block access to pornography and other offensive content online. But its features go well beyond that.

Smart Sheriff and at least 14 other apps allow parents to monitor how long their kids use their smartphones, how many times they use apps and which websites they visit. Some send a child's location data to parents and issue an alert when a child searches keywords such as "suicide," "pregnancy" and "bully" or receives messages with those words.

Last month, South Korea's Korea Communications Commission, which has sweeping powers covering the telecommunications industry, required telecoms companies and parents to ensure Smart Sheriff or one of the other monitoring apps is installed when anyone aged 18 years or under gets a new smartphone. The measure doesn't apply to old smartphones but most schools sent out letters to parents encouraging them to install the software anyway.

Other trigger terms seem to do nothing more than give parents a reason to lock their kids up until they're old enough to move out:

Girl I like, boy I like, dating, boyfriend, girlfriend, breakup…

This new mandate is obviously creating a chilling effect. Some have noted the Smart Sheriff app may give government agencies access to minors' communications, all under the pretense of helping parents out. Nearly 80% of South Korean schoolchildren (teens and elementary students) own smartphones. That's a whole lot of communications potentially being delivered to law enforcement and intelligence agencies (if not also to schools and service providers).

As a result, smartphones are now no longer viewed as essential equipment by teenagers.

To get around the regulations, some students say they will wait until they turn 19 to get a new phone.

"I'd rather not buy a phone," said Paik Hyunsuk, 17. "It's violation of students' privacy and oppressing freedom."

Open Net Korea, which has tracked South Korean censorship efforts for years, has a translation of the law's stipulations, which not only requires installation of government-approved spyware apps, but also stipulates cell phone providers actively hassle parents who don't seem to be taking the mandated monitoring seriously.

(1) According to Article 32-7(1) of the Act, a telecommunication business operator entering into a contract on telecommunications service with a juvenile under the Juvenile Protection Act must provide means to block the juvenile’s access to the media products harmful to juveniles under the Juvenile Protection Act and the illegal obscene information under Article 44-7(1)1 of the ICNA (“Information harmful to juveniles”) through the telecommunication service on the juvenile’s mobile communications device such as a software blocking information harmful to juveniles.

(2) Procedures prescribed below must be followed when providing the blocking means under (1):

At the point of signing the contract: a. Notification to the juvenile and his/her legal representative regarding types and features of the blocking means; and b. Check on the installation of the blocking means.

After closing the contract:

Monthly notification to the legal representative if the blocking means was deleted or had not been operated for more than 15 days.

So, not only is it censorware and spyware, but it's also apparently nagware -- with telecom reps calling or emailing every month to remind parents to perform their duties as proxy surveillance operatives for the South Korean government.

Attorney Representing Whistleblowing Cops Claims Police Department Dropped Spyware On His Hard Drive
Tim Cushing
Thu, 23 Apr 2015 16:05:00 PDT
https://www.techdirt.com/articles/20150418/07205030709/attorney-representing-whistleblowing-cops-claims-police-department-dropped-spyware-his-hard-drive.shtml

This news is infuriating if true. And its chances of being true are pretty high, considering how little cops having the whistle blown on them care for those blowing the whistle. In this case, police officials didn't just stonewall a court order to produce records. They also allegedly dropped backdoors and keyloggers onto the plaintiff's hard drive.

An Arkansas lawyer representing current and former police officers in a contentious whistle-blower lawsuit is crying foul after finding three distinct pieces of malware on an external hard drive supplied by police department officials.

In response to a discovery request, the Fort Smith Police Department was ordered to turn over numerous items, including Word documents, PDFs and emails. Attorney Matt Campbell provided an external hard drive to the PD. When it was returned to him, it contained some of what he requested, along with three pieces of software he definitely didn't request.

In a subfolder titled D:\Bales Court Order, a computer security consultant for Campbell allegedly found three well-known trojans, including:

Win32:Zbot-AVH[Trj], a password logger and backdoor

NSIS:Downloader-CC[Trj], a program that connects to attacker-controlled servers and downloads and installs additional programs, and

Two instances of Win32Cycbot-NF[Trj], a backdoor

The police department claims it has no idea how these ended up on Campbell's hard drive. It maintains its innocence despite acknowledging its computers have anti-virus software installed that should have prevented these from ending up on its drives, much less being copied to an external drive. Campbell isn't buying these proclamations. In an affidavit submitted to the court, he alleges the PD added these trojans to take control of his computer and intercept his passwords and communications.

Campbell's first attempt to have this apparent breach investigated went nowhere.

Last September, Arkansas State Police officials declined Campbell's request that the agency's criminal investigation division probe how the hard drive sent to Campbell came to be booby-trapped. "The allegations submitted for review appear to be limited to misdemeanor violations which do not rise to a threshold for assigning a case to the CID Special Investigations Unit," the commander of the CID wrote in a September 29 letter declining the request.

So, even though CID stands for "Criminal Investigation Division" and a misdemeanor is, in fact, a criminal offense, the Arkansas State Police decided that it couldn't be bothered to examine an incident that could have resulted in breaches of attorney-client privilege. "Don't bother us until it's a felony," is the message being sent here. Even if the CID had no interest in dealing with small-time (but not really, considering the implications) misdemeanors, it could have at least referred Campbell to authorities who would be interested in pursuing this. But it didn't -- which either means it had no interest in anyone pursuing this further or knew no other entity would be interested in pursuing an investigation of the Ft. Smith PD.

Perhaps the latter is more likely. Campbell took his complaint to the district's prosecuting attorney and met similar non-results. The district attorney's office claimed it didn't have the resources to pursue this, suggesting that its limited resources will only be used to investigate those outside of the law enforcement sphere.

So, Campbell has asked the judge to hold the department in contempt of court and impose sanctions. Not only did the PD apparently drop malware on Campbell's drive, but it also skirted many of the discovery order's stipulations.

Defendants have failed to properly answer discovery requests in compliance with this Court's Order, to wit:

a. Defendants have engaged in intentional spoliation of evidence by deleting entire email accounts without allowing Plaintiffs to search the emails;

b. Defendants have engaged in ongoing, intentional spoliation of evidence by failing to preserve and provide deleted emails that, by their own admissions, were recoverable;

c. Defendants have relied upon past AFOIA responses in answering Plaintiffs' discovery requests, resulting in Defendants providing emails that have improper redactions; and

The affidavit goes into greater detail on all of these accusations. One of the most egregious abuses alleged is the apparently intentional deletion of the entire content of a PD official's email account.

After receiving Defendants' responses to Plaintiffs' requests, Plaintiffs reviewed the produced documents and noted that few, if any, emails from most of the Defendants had been produced, aside from what had been previously produced in response to AFOIA requests. Accordingly, Plaintiffs' counsel arranged with Defendants' counsel to meet at the FSPD with Mr. Matlock, and that meeting was scheduled for August 5, 2014.

[...]

As this Court may recall, Defendants cancelled this scheduled meeting on August 1, 2014, via email to Plaintiffs' counsel. Plaintiffs' counsel contacted this Court on August 4, 2014, in an effort to have the August 5 meeting date honored. Defendants' counsel responded on that same date, contending that there was nothing untoward or suspicious about the last-minute rescheduling and that Court intervention into the matter was not needed.

Except there was something suspicious about this last-minute rescheduling.

The meeting between Plaintiffs, Defendants, and Mr. Matlock was rescheduled for August 28, 2014. On August 5, 2014, however, Maj. Chris Boyd, Sr., retired from the FSPD. On August 28, when Plaintiffs' counsel asked Mr. Matlock to pull up Maj. Boyd's email account, Defendant Jarrard Copeland immediately asked Mr. Matlock whether Boyd still had an email account, to which Mr. Matlock replied that he did not. Mr. Matlock further informed Plaintiffs' counsel that the emails had been deleted. When pressed on this issue, Mr. Matlock confirmed that they were deleted after Maj. Boyd's retirement on August 5, 2014.

On top of that, Mr. Matlock was still telling other cops he would be in town during the day he told the plaintiffs he wouldn't be available (August 5), according to emails obtained by Campbell. Then, suddenly, he was completely unavailable.

That this was intentional spoliation is bolstered by the fact that, as late as 6:10 PM on August 4, 2014, Mr. Matlock was planning on being at the SPD 'by lunch' on August 5, 2015, and was communicating with other officers about doing specific tasks on the afternoon of August 5…

It was not until 9:06 AM on August 5, 2014 - the date originally scheduled for the meeting and four days after Defendants had cancelled the meeting that Mr. Matlock informed anyone that he was taking that entire day off as a 'discretionary day.' And it was not until on or about August 19, 2014, when Plaintiffs' counsel requested Mr. Matlock's payroll record for the period covering August 5, that the SPD Payroll Department was actually informed that Mr. Matlock had taken a discretionary day two weeks prior. Interestingly, this is the only discretionary day that Mr. Matlock has taken in the last three-plus years.

Given the amount of obstruction and non-compliance alleged in this affidavit, it's really not that surprising that someone -- with or without approval from superiors -- loaded tainted software onto Campbell's hard drive. Sure, there's a case to be made for stupidity rather than malice, but with the other obfuscation detailed in Campbell's affidavit, the scale is definitely leaning towards the latter.

Hopefully, the court will examine these accusations closely, considering no other entity that could hold the PD responsible for its alleged misconduct seems willing to move forward with an investigation.

DEA Also Spending Millions To Purchase Exploits And Spyware
Tim Cushing
Tue, 21 Apr 2015 15:40:00 PDT
https://www.techdirt.com/articles/20150417/16160930703/dea-also-spending-millions-to-purchase-exploits-spyware.shtml

As more information leaks out into the public domain, the only difference between the NSA and the DEA seems to be the selection of letters in their acronyms. Both are now known for their bulk domestic collections and both are known for being involved in neverending wars. Now, thanks to Privacy International and Vice's Motherboard, both are known for purchasing weaponized software.

The Drug Enforcement Administration has been buying spyware produced by the controversial Italian surveillance tech company Hacking Team since 2012, Motherboard has learned.

The software, known as Remote Control System or “RCS,” is capable of intercepting phone calls, texts, and social media messages, and can surreptitiously turn on a user’s webcam and microphone as well as collect passwords.

The DEA originally placed an order for the software in August of 2012, according to both public records and sources with knowledge of the deal.

The problem with the DEA's purchase and deployment of this malware is that tools normally used to engage in the protection of national security -- by military and intelligence agencies -- are being handed out to US law enforcement without the slightest concern for the Fourth Amendment or privacy implications. There's a level of intrusion present here that's never been examined by the courts. Not that the DEA would ever allow details on Hacking Team's products to ever enter a courtroom in the first place. Hacking Team's spy products are one of many secret law enforcement capabilities -- something that must never be spoken of in public forums.

The capabilities detailed here far surpass anything that could be obtained with a search warrant or court order. The DEA's phone metadata collection may still fall under the Third Party Doctrine, but it's hard to believe anything obtained via the hijacking of cameras, computers and phones would be signed off on by magistrate judges.

There is unclear statutory authority authorising the deployment of spyware by US federal or law enforcement agencies, meaning that deployment of the RCS by the DEA or the Army is potentially unlawful under US law. Furthermore, because RCS is designed to be usable against targets even while they are outside of the end-user's legal jurisdiction, it raises serious legal questions concerning the ability of US agencies and the military to target individuals based outside of the United States.

Hacking Team has confirmed that their product has since 1st January 2015 been subject to export restrictions from the Italian government, which is the first step in ensuring that these types of technologies are not exported and used for human rights violations. This means that the Italian export authority now has to assess and approve any export of Hacking Team's products in order for a sale to go ahead.

How the Italian government now assesses any potential exports is unclear. Although EU export control regulations stipulate that in circumstances where an export is going to a military end-user the licensing authority should look at a set of criteria which contain human clauses, in practice this rule is implemented disparately across the European Union member states.

Much like many weapons are subject to export restrictions, so are certain kinds of software. Hacking Team's offerings have been sold all over the world -- and not just to the "good guys." PI says it has evidence this software has been sold to governments known for human rights abuses and has been deployed to surveil journalists and activists.

This may lead to Hacking Team spending some time discussing its product line with Italian regulators -- which could result in additional sales and export restrictions. Or this may just lead Hacking Team to find a new home -- somewhere its offerings won't be eyeballed too closely.

It seems to be leaving its location options open, just in case. In the US, it does business under the name of Cicom USA -- supposedly just a "reseller" of Hacking Team's product line.

The connection between Cicom USA and Hacking Team was confirmed to Motherboard by multiple sources with knowledge of the deal, who spoke on condition of anonymity because they were not authorized to discuss the content of the contract…

Cicom USA is based in Annapolis, MD, at the same exact address where Hacking Team’s US office is located, according to the company’s website. The phone number for Cicom USA listed in the contract with the DEA, moreover, is exactly the same one that was displayed on Hacking Team’s website until February of this year.

A few dozen empty offices around the world acting as "local distributors" could assist Hacking Team in dodging local import/export regulations.

The DEA's use of Hacking Team's product line deserves closer examination. The capabilities detailed here have yet to be uncovered in criminal prosecutions, suggesting the agency is still heavily engaged in legally dubious parallel construction.

Spyware-For-Business Company Thinks Concerns About 'Medical Bills' Are Indicators Of An 'Insider Threat'
Tim Cushing, Mon, 30 Mar 2015 03:47:00 PDT
https://www.techdirt.com/articles/20150320/09414830385/spyware-for-business-company-thinks-concerns-about-medical-bills-are-indicators-insider-threat.shtml

It's no secret that many companies monitor their employees' computer use. But things are going much further than simply ensuring the normal "don'ts" -- file sharing, porn viewing, etc. -- are tracked for disciplinary reasons. Companies are now on the lookout for the next "insider threat." Some companies are viewing the Snowden saga as the ultimate cautionary tale, albeit one that results in more surveillance rather than less. (via Dealbreaker)

Guarding against such risks is an expanding niche in the security industry, with at least 20 companies marketing software tools for tracking and analyzing employee behavior. “The bad guys helped us,” says Idan Tendler, the founder and chief executive officer of Fortscale Security in San Francisco. “It started with Snowden, and people said, ‘Wow, if that happened in the NSA, it could happen to us.’ ”

But the effort to find -- and prevent -- the next "insider threat" from damaging his or her company seems to be just as misguided as the government's efforts to do the same. Looking for potential threats often results in viewing almost everything as an indicator of future treachery.

One company cited "changes in email habits" as being indicative of an "insider threat." Others, like Stroz Friedberg, aren't as selective. The company, started by former FBI agent Edward Stroz, veers into the same dangerous territory the government does when rooting out "threats." In its hands, normal activities are viewed with suspicion by its monitoring software.

The software establishes a base line and then scans for variations that may signal that an employee presents a growing risk to the company. Red flags could include a spike in references to financial stresses such as “late rent” and “medical bills.”

And what better way to tackle "late rent" or "medical bills" than suddenly finding yourself unemployed simply because re-purposed FBI analytic software thinks any small sign of (possibly temporary) financial instability indicates your next move will be to steal something. Millions of people in the US deal with these realities frequently -- especially the latter. And yet, millions of employees still find other ways to tackle these problems instead of dipping their hands in the tills or running off with sensitive documents.

Stroz's software also thinks -- like the government -- that an unhappy employee is a malicious employee.

He offers the scenario of a star trader at a bank who’s disappointed with the size of her annual bonus. Instead of being blindsided when she defects to a rival, a bank using Scout could identify her discontent early and make sure she doesn’t take sensitive data or other team members with her.

Or, the company could try to work with the employee rather than just secretly track her until her eventual exit. Once again, unhappy employees leave companies all the time without taking anything with them. Sure, a few do, but the deployment of software like this will generally produce more false positives (and further strain work relationships) than insider threats. And there's nothing like firing people for something they haven't done (but might!) to endear a company to its remaining employees.

Despite all of this, Edward Stroz believes his company's predictive employee policing software is just another way for companies to show their employees how much their staff means to them.

He’s still careful when discussing the software, describing it as a way to help employers build a “caring workplace.”

Oh, it's anything but. While employees will often accept monitoring of their internet/computer usage as being a necessary part of the employee-employer relationship, they're not going to be happy to find out that searching for information about medical bills might see them lose a source of income. And they're definitely not going to be thrilled to learn that expressing displeasure about company practices and policies may result in the same thing. If a company wants to foster a "caring workplace," it should be addressing employee discontent, not monitoring it. But what do you expect from companies -- and the entities that provide them with spyware -- that view the Snowden leaks as justifying increased surveillance?

Oh, and employees had better believe their file sharing use will be actively monitored (and used against them). Stroz Friedberg may be making enterprise pre-crime software now, but its past as an RIAA lobbying firm (and its slightly-later past as a Six Strikes "independent expert") has been well-noted.

This Week In 'The NSA Knows F**king Everything': How It Hacked Most Hard Drives And SIM Cards
Mike Masnick, Thu, 19 Feb 2015 14:30:36 PST
https://www.techdirt.com/articles/20150219/14140330073/this-week-nsa-knows-fking-everything-how-it-hacked-most-hard-drives-sim-cards.shtml

everything. First up: your hard drives. Earlier this week, Kaspersky Lab revealed that the NSA (likely) has figured out ways to hide its own spyware deep in pretty much any hard drive made by the most popular hard drive manufacturers: Western Digital, Seagate and Toshiba.

The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran's uranium enrichment facility. The NSA is the U.S. agency responsible for gathering electronic intelligence.

A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the spy agency valued these espionage programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.

As the report notes, it appears that this is a kind of "sleeper" software, that is buried inside tons of hard drives, but only "turned on" when necessary. The report notes that it's unclear as to how the NSA was getting this software in there, but that it couldn't do it without knowing the source code of the hard drive firmware -- information that is not easily accessible. A few of the hard drive manufacturers have denied working with the government on this and/or giving them access to the firmware. It's possible they're lying/misleading -- but it's also possible that the NSA figured out other ways to get that information.

And that brings us to door number two: your mobile phone's SIM card. Today, the Intercept revealed (via the Ed Snowden documents) how the NSA and GCHQ were basically able to hack into the world's largest manufacturer of mobile phone SIM cards in order to swipe encryption keys, so that your friendly neighborhood intelligence snooper can snoop on you too:

The company targeted by the intelligence agencies, Gemalto, is a multinational firm incorporated in the Netherlands that makes the chips used in mobile phones and next-generation credit cards. Among its clients are AT&T, T-Mobile, Verizon, Sprint and some 450 wireless network providers around the world. The company operates in 85 countries and has more than 40 manufacturing facilities. One of its three global headquarters is in Austin, Texas and it has a large factory in Pennsylvania.

In all, Gemalto produces some 2 billion SIM cards a year. Its motto is “Security to be Free.”

With these stolen encryption keys, intelligence agencies can monitor mobile communications without seeking or receiving approval from telecom companies and foreign governments. Possessing the keys also sidesteps the need to get a warrant or a wiretap, while leaving no trace on the wireless provider’s network that the communications were intercepted. Bulk key theft additionally enables the intelligence agencies to unlock any previously encrypted communications they had already intercepted, but did not yet have the ability to decrypt.

The details of just how the NSA hacked into Gemalto are quite a story -- and prove what a load of crap it is when the NSA and its defenders insist that they only target bad people. As former NSA (and CIA) boss Michael Hayden recently admitted, they actually like to spy on "interesting people." And who could be more interesting than the people who have access to the encryption keys on billions of mobile phones?

So, yeah, the NSA and GCHQ basically spied on IT folks at the company until they found a way in. So, the NSA spies on "bad guys" and "IT people" for the good guys. Because, I'm sure they'll claim, it helps them get the bad guys. We've seen this before, when the GCHQ hacked into Belgian telco giant Belgacom, allowing them to tap into communications at the EU Parliament. Hacking into various companies appears to be standard operating procedures for the NSA/GCHQ these days, with no thought to the collateral damage being caused.

And, yes, both of these hacks basically involve giving the NSA an astounding amount of access to our electronic devices:

Leading privacy advocates and security experts say that the theft of encryption keys from major wireless network providers is tantamount to a thief obtaining the master ring of a building superintendent who holds the keys to every apartment. “Once you have the keys, decrypting traffic is trivial,” says Christopher Soghoian, the principal technologist for the American Civil Liberties Union. “The news of this key theft will send a shock wave through the security community.”

[....]

The U.S. and British intelligence agencies pulled off the encryption key heist in great stealth, giving them the ability to intercept and decrypt communications without alerting the wireless network provider, the foreign government or the individual user that they have been targeted. “Gaining access to a database of keys is pretty much game over for cellular encryption,” says Matthew Green, a cryptography specialist at the Johns Hopkins Information Security Institute. The massive key theft is “bad news for phone security. Really bad news.”

Between both of these big stories this week, it's clear that the NSA is basically deeply buried in pretty much every bit of electronic equipment these days, with the tools ready to go to spy on just about anything. The idea that this power isn't being abused regularly is pretty laughable.

Chinese Newspaper And Citizens Find Spyware Purchase Orders On Dozens Of Police And Local Government Web Sites
Glyn Moody, Fri, 30 Jan 2015 01:04:00 PST
https://www.techdirt.com/articles/20150113/09580629683/chinese-newspaper-citizens-find-spyware-purchase-orders-dozens-police-local-government-web-sites.shtml

It is hardly news that the Chinese authorities spy on their citizens, but a story in Global Voices adds a couple of fascinating twists to the story. The Beijing Times newspaper discovered that a district police department's Web site had a purchase order for surveillance software:

Beijing Times found the purchase order on the website of the Wenzhou district police department, took a screen capture of the order, and posted it on social media with a brief explanation of its origins. The purchase order includes two items: software for injecting trojans onto mobile phones, and a trojan for spying on mobile phone conversations, text messages, and image messages on Android and for jail breaking an iPhone. The first item cost RMB 100,000 yuan (approximately US $16,000) and the second item cost RMB 4,900 yuan (approximately US $800).

The fact that the purchase order for such a sensitive item was uploaded to the police site seems odd -- perhaps surveillance software is now so run-of-the-mill and pervasive that the police no longer regard its use as controversial. The other interesting aspect of this story is that Beijing Times was digging around on the police Web site in the first place, and that having found something rather interesting, decided to publish it, rather than discreetly forget about it. Even better, this rather bold action inspired others to get digging for similar purchase orders. Remarkably, they found some, including this:

a software tool that collects messages from overseas social media including Twitter, Facebook and Google plus. Authorities in Taian city purchased data collection software and content posting software intended to help “counter public opinion” on nine major social media platforms, both in China and overseas.

Again, no real surprises there, but it's good to have more detailed information about who's using which surveillance tool, and for what purpose.

Woman Faces Criminal Wiretapping Charges For Deploying Spyware On Her Husband's Phone
Tim Cushing, Thu, 23 Oct 2014 06:06:58 PDT
https://www.techdirt.com/articles/20141022/10401628909/woman-faces-criminal-wiretapping-charges-deploying-spyware-her-husbands-phone.shtml

A woman deploys spyware on her soon-to-be ex-husband's phone, an act that is probably more common than anyone wants to admit, but one that rarely results in criminal charges. In this case, however, her husband happened to be employed by the Pacific Grove (CA) Police Department. If not for that simple fact, would there have been an investigation, much less charges brought? This story deals with multiple layers of official privilege -- the extra attention those labeled "law enforcement" receive as victims of criminal activity, as well as the extra access law enforcement officers have, and how easily it can be abused.

Kristin Nyunt was charged by information* today with two counts of illegal wiretapping and the possession of illegal interception devices, announced United States Attorney Melinda Haag and FBI Special Agent in Charge David J. Johnson.

According to the information, from 2010 to 2012, Nyunt, 40, most recently of Monterey Calif., is alleged to have intercepted communications, including sensitive law enforcement communications, by means that included “spy software” that the defendant secretly installed on the mobile phone of a police officer. The information also alleges that during the same period she illegally possessed interception devices, namely spy software including Mobistealth, StealthGenie, and mSpy, knowing that the design of those products renders them primarily useful for the purpose of the surreptitious interception of wire, oral, and electronic communications.

According to the San Francisco Gate, Nyunt tapped a specific target with this spyware (including the spyware law enforcement loves to hate: StealthGenie): her (now) ex-husband. This is the sort of thing one expects to be more frequent, considering the ease of use and the ubiquitousness of cell phones. Estranged wife spies on spouse. (Or vice versa.)

A former Pacific Grove police commander has pleaded guilty to charges that he steered a possible crime victim to his private investigation firm, then merely pretended to look into her case after accepting $10,000, authorities said Wednesday.

John Nyunt, 51, admitted Tuesday in U.S. District Court in San Jose that he hadn’t investigated the woman’s complaint that she was the victim of electronic surveillance and stalking after referring her to his private firm.

Nyunt also promised the woman a security force comprised of off-duty officers and told another officer to not follow up on her complaint but instead forward any information given directly to him. Despite having all the tools to do the job, Nyunt did nothing.

That Kristin wouldn't trust her husband isn't surprising. Untrustworthy people find it very hard to trust others. Kristin didn't use her illegal access to the law enforcement database to help the Nyunts' fledgling, completely illegal private investigation firm get off the ground. No, she used it to commit identity theft. When she wasn't pretending to be a cop so she could pretend to be someone else, she was stealing paintings and collectors' coins from people's homes.

The mobile spyware is the tip of the iceberg. The irony that law enforcement would love to have this much access to everyone's cell phone isn't exactly lost in this situation. But it is very muted. The bigger story here is that the spyware charges are the final detail of a long, sordid narrative where everything trust-related that could be abused WAS abused. A cop uses his extra access privileges to run a home business. He shares the wealth and his wife steals people's identities and physical belongings. Along the way, the cop/private dick screws customers and tries to kill his wife. In the end, they'll both be serving time, but it took more than two straight years of access without accountability before investigators brought it to a halt. And it took Nyunt's being a cop to even get investigators to look twice at his wife's use of mobile spyware.

Is Adobe's Ebook Reader Spying On What You Read -- And What You Have On Your Computer?
Glyn Moody, Tue, 7 Oct 2014 10:12:00 PDT
https://www.techdirt.com/articles/20141007/08030128752/is-adobes-ebook-reader-spying-what-you-read-what-you-have-your-computer.shtml

Ebooks have many advantages, but as Techdirt has reported in the past, there are dangers too, particularly in a world of devices routinely connected to the Net. Back in 2010, we wrote about how Amazon was remotely uploading information about the user notes and highlights you took on your Kindle. More recently, we reported on how a school was using electronic versions of textbooks to spy on students as they read them. Against that background, you would have thought by now that companies would be sensitive to these kinds of issues. But if Nate Hoffelder is right, there's a big privacy problem with Adobe's Digital Editions 4, its free ebook reading app. Here's what Hoffelder writes on his blog, The Digital Reader:

Adobe is tracking users in the app and uploading the data to their servers. (Adobe was contacted in advance of publication, but declined to respond.)

Specifically:

Adobe is gathering data on the ebooks that have been opened, which pages were read, and in what order. All of this data, including the title, publisher, and other metadata for the book is being sent to Adobe’s server in clear text.

Yes, not only is the app spying on you, but it is sending personal information unencrypted over the Net. And it seems that this is not just about the ebook you are currently reading:

Adobe isn't just tracking what users are doing in DE4; this app was also scanning my computer, gathering the metadata from all of the ebooks sitting on my hard disk, and uploading that data to Adobe’s servers.

These are all serious accusations, and completely unacceptable if confirmed. At the very least, an independent investigation by Ars Technica has now confirmed all of the important details, though Adobe has still stayed silent. However, this also highlights why many people prefer to use pirated editions without DRM, which can be read on any suitable software: not because they're free, but because they're better products in just about every way -- for example, in respecting your privacy.

Law Enforcement Still Defending ComputerCOP: Says They'll Keep Distributing It Until After Someone's Been Hurt
Mike Masnick, Mon, 6 Oct 2014 12:26:00 PDT
https://www.techdirt.com/articles/20141003/17202128724/law-enforcement-still-defending-computercop-says-theyll-keep-distributing-it-until-after-someones-been-hurt.shtml

ComputerCOP spyware simply can't admit that they were handing out software that made kids less safe. Instead, they're sticking by their decision to do so. Given that the company personalized the software in the name of local law enforcement, and pitched it as the "perfect election and fundraising tool," you can understand their reticence to actually admit that they've been making kids a hell of a lot less safe. We already discussed San Diego District Attorney Bonnie Dumanis defending the software, even while issuing an "alert" telling parents how to disable the keylogging feature. Even more bizarre was the response of Limestone County, Alabama, Sheriff Mike Blakely, who simply questioned EFF's credibility in revealing the dangerous nature of the software.

Blakely appears to be doubling down on that argument. In an interview with Ars Technica, he again bizarrely claims that the EFF wants to protect pedophiles and predators, and then also endorses spying on kids:

With respect to the EFF he said, “I'm not against their criticism but I just think they're probably more interested in protecting predators and pedophiles than in protecting our children.”

“As sheriff, I went down [to schools] and met with kids and I taught them about bicycle safety and not to talk to strangers,” Blakely said, adding that handing out ComputerCOP was just another branch of the department's efforts to keep kids from being solicited online.

“If you and I were married and had a 14-year-old daughter, then yeah I could check on who you're talking to online and you could check who I'm talking to,” he said. “But if [ComputerCOP is] used properly, it's something we whole-heartedly endorse. Now if you're of the persuasion of the people of the EFF who would rather not do anything, then that's something that I can't help.”

That ignores, of course, that the keylogging sends information unencrypted, thus putting children much more at risk. When Ars did ask him about that, Blakely said that they'd have to talk to his "IT people."

It appears that other police departments and district attorneys are similarly trying to defend the fact that they've been distributing dangerous keylogging software that can pass unencrypted cleartext of any information typed by kids. Some law enforcement folks are not just standing by their decision to hand out the spyware, but are continuing to do so. Contra Costa District Attorney Dan Cabral, astoundingly, admits that he intends to continue distributing the software until after someone's been hurt.

Contra Costa Assistant District Attorney Dan Cabral said Friday that the office has no plans to recall the software it distributed.

"If it turns up later that there's some sort of breach we will do so, but right now we feel it serves its purpose and it assists parents in what it's supposed to do," Cabral said Friday.

Steve Moawad, the Senior Deputy District Attorney working for Cabral, ridiculously argues the fact that so many other law enforcement folks got duped is somehow proof that the software must be okay.

"I am aware of several law enforcement agencies that have looked at the product before and after this report," Moawad said. "I believe the EFF is overstating the risk and, the fact that this program has been handed out by hundreds of law enforcement agencies over a period of 10 years and there's been no reported incidents of identity theft as a result of the use of the software is indicative of that (fact)."

There are many, many problems with this. Just because a specific breach can't be traced back directly to this software doesn't mean breaches haven't happened (and happened regularly). Based on how the software itself works (sending cleartext over the internet), there's really not going to be any indication that when a breach happens it's because of the software. Parents and kids just won't know how the leak of information happened.

Meanwhile, over in Loudoun County, Virginia, the Sheriff's Office not only stood by the use of the software but announced plans to hand out more copies next year:

In a statement issued by the Loudoun County Sheriff's Office today, the agency said “ComputerCOP is very similar to other parental monitoring systems available on the market. The program does not operate without the CD inserted in the computer disk drive and does not allow access from any outside parties, including the Loudoun County Sheriff’s Office or ComputerCOP. The disks are not distributed without explanation from Loudoun County Sheriff’s Office personnel during our Internet Safety: What Parents Need to Know presentations. Parents are made aware at these presentations of the programs limitations and how it is intended to be used. Parents with questions about ComputerCOP are encouraged to attend one of our upcoming Internet Safety courses that will begin in early 2015 at area schools.”

First of all, the claim is misleading to the point of being disingenuous. While the software, by itself, does not "allow access from any outside parties," by sending cleartext copies of keylogging output over the internet, it's revealing that content to many, many potential outside parties. It appears the Loudoun County Sheriff's office doesn't even understand the problem -- and yet they claim that they've properly explained the software to parents? That seems difficult to believe.

I'd be curious if the presentation includes an explanation of keylogging, encryption and the dangers of sending cleartext over the internet. Again, it seems doubtful. Hopefully, some parents in Loudoun County who do understand this will head on over to the next set of Internet Safety classes, not to be educated, but to educate the police there.

Next up, there are the folks at the Maricopa County, Arizona, Attorney's Office. They, too, are not at all happy with the EFF, while remaining pleased as punch with ComputerCOP's software, despite it putting kids in danger. In an email to CNET's Seth Rosenblatt, the Maricopa County Attorney's Office says it's "ridiculous" to call the software spyware, and also (huh?) claims that EFF is only doing this because it offers "a competing product." Wait, what?

In short, this is a story filled with inaccurate information and numerous misrepresentations from an organization that just so happens to be offering a competing product. That fact alone warrants skepticism about its conclusions. Unfortunately however, several news outlets (and I am not including CNET here) have accepted and regurgitated the EFF report without making any effort to verify the information it contains or talk to someone who’s actually used the product, let alone checked it out first hand.

To call ComputerCOP "spyware" is ridiculous. This product is fundamentally no different than the parental controls that are available on countless digital devices and software used by kids today. In fact, most parents believe they have the right and responsibility to know what their children are doing online, and this product is a simple tool that allows them to do that.

First off, I had no idea that EFF offered its own spyware product. Second, whether or not the product is "fundamentally no different" kind of misses the point. If all such software has serious security problems, that should be an issue.

Unlike what most experts would term "spyware," ComputerCOP does not surreptitiously send information to third parties. The hysterical claim that ComputerCOP sends notifications emails without encryption... is utterly fatuous and disingenuous. The software uses a user's existing e-mail service to send notifications. A ComputerCOP notification has no greater potential for being compromised than any other e-mail a user sends.

That suggests a level of technical ignorance that is, well, kinda scary. The fact that ComputerCOP sends keylogger info without encryption is entirely accurate. It is neither fatuous nor disingenuous. In response to this bizarre claim from Maricopa County, the EFF's Dave Maass (who wrote the original report) asked Maricopa to hire an independent security team to evaluate the software. Also, despite its claims, Maass notes that over the weekend, Maricopa County appears to have removed their own website promoting ComputerCOP. Perhaps the Maricopa County Attorney's Office isn't quite as confident in the software as they claimed.

Meanwhile, one of the security researchers who the EFF used in its original report, Jeremy Gillula, went a step further. On Twitter, he issued a challenge to anyone defending ComputerCOP:

Challenge to all defending ComputerCOP as secure: you install it, connect to open wifi and login to your bank while I run wireshark. Any money I transfer out using your username and password from the packet logs gets donated to EFF. If I can't get any money, I retract all statements about ComputerCOP's keylogger being insecure. Sound like a deal?

One of these products is handed out by law enforcement agencies. One just had its creator arrested after an FBI investigation.

Product A is ComputerCOP, a deeply-flawed set of tools that allows parents to spy on their children's computer activities, provided they don't mind getting hundreds of false positives returned during searches or having passwords stored as plaintext by the built-in keylogger.

Product B is StealthGenie, a piece of software aimed at giving the inherently suspicious (or routinely cuckolded) person surreptitious access to everything on their significant other's phone. The full set of features included is astounding, including location info, email access, eavesdropping via the built-in mic and the perverse ability to lock or wipe someone else's phone.

It's not that the FBI was wrong to shut down the sale of this software, even if it does sound like the sort of thing the agency wishes it could deploy rather than terminate. It's that the law enforcement-approved tool set overlaps so heavily with something aimed at tearing the digital roof off someone else's life.

ComputerCOP -- unlike the more (necessarily) targeted StealthGenie -- doesn't ultimately care who's using the device it's installed on. You may just want to track your kids' internet activity, but anyone who uses it while it's activated will have their web history -- along with any keystrokes entered -- automatically logged. If anything, ComputerCOP is a cheap, legal alternative to StealthGenie, even if it's strictly limited to personal computers.

But one of these is being handed out by law enforcement agencies without any oversight (and with loads of misinformation). The other was the subject of a federal investigation. There's a certain amount of disconnection here, similar to law enforcement's use of encryption to protect themselves from criminals but wanting to deny the public the same option.

"Selling spyware is not just reprehensible, it's a crime," said Assistant U.S. Attorney General Leslie R. Caldwell. "Apps like StealthGenie are expressly designed for use by stalkers and domestic abusers who want to know every detail of a victim's personal life -- all without the victim's knowledge."

“StealthGenie has little use beyond invading a victim’s privacy” said U.S. Attorney Boente. “Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners.”

“This application allegedly equips potential stalkers and criminals with a means to invade an individual’s confidential communications,” said FBI Assistant Director in Charge McCabe. “They do this not by breaking into their homes or offices, but by physically installing spyware on unwitting victims’ phones and illegally tracking an individual’s every move. As technology continues to evolve, the FBI will investigate and bring to justice those who use illegal means to monitor and track individuals without their knowledge.”

Spyware is spyware, whether it's sporting a uniform and a badge or an orange jumpsuit and handcuffs.

San Diego District Attorney Issues Warning About Dangerous Spyware She Purchased & Distributed; But Still Stands By It
Mike Masnick | Thu, 2 Oct 2014 08:12:01 PDT
https://www.techdirt.com/articles/20141001/18412028695/san-diego-district-attorney-issues-warning-about-dangerous-spyware-she-purchased-distributed-still-stands-it.shtml

investigation into Computer Cop, the dangerous spyware/keylogger that is sold to police departments and other law enforcement folks as a "perfect election and fundraising tool" because the software gets branded with local law enforcement/politicians and they get to hand it out as a tool to "protect your children" by spying on how they use their computers. The software appears to be a very crappy search system and keylogger. Any keylogger is already a dangerous tool, but this one is especially dangerous in that it transmits the log of keystrokes entirely unencrypted to a server, meaning that all sorts of information, including passwords, credit cards, etc. are transmitted across the internet in the clear. The Computer Cop website looks like it was designed a decade ago and then left to rot (as does its software):

The site is so bad that the company's own address in the footer of the website spells the city wrong. The company is based in Bohemia, NY, yet its own website spells it Bhomeia. Yes, that's more than one letter out of place:

All of this should give you a sense of what's going on here. Rather than actually "protecting children," this is a cynical money-grab by a guy who is convincing politicians to use government money to make children less safe while pretending to "protect the children."

Given the powerful expose by the EFF, you'd think that some of the folks who bought into the bogus software and distributed this dangerous spyware to unsuspecting parents might be regretting their decision. Instead, they're... still playing politics. The San Diego District Attorney, Bonnie Dumanis, didn't apologize. She did release an alert warning about the very software she purchased and promoted and distributed to parents, but then still says the software is generally good and will continue to distribute it.

In a statement, Dumanis spokesman Steve Walker said the program was still a useful tool for parents.

“Our online security experts at the Computer and Technology Crime High-Tech Response Team continue to believe the benefits of this software in protecting children from predators and bullies online and providing parents with an effective oversight tool outweigh the limited security concerns about the product, which can be fixed,” Walker said.

Walker said that the District Attorney’s Office still has a few copies of the program left and will give them to families who request it.

There don't appear to be any actual redeeming qualities to the software. It doesn't protect anyone, but rather makes them less safe while giving parents a false sense of security. San Diego (and elsewhere) deserve much better, but apparently they're not going to get it.

The "warning" that was sent out just suggests disabling the keylogger part -- and doesn't appear to take any responsibility for purchasing and promoting the software in the past. As for how much money was spent? Apparently San Diego spent $25,000 on the software:

Dumanis spent $25,000 from asset forfeiture funds — money and property seized during drug and other prosecutions — on 5,000 copies of the program for public dissemination.

Ah, so rather than being directly taxpayer money, it's just money stolen via questionable forfeiture procedures. It's hard to see how that's any better.

ComputerCOP: Keylogging Spyware, Distributed By Police And Federal Agents With Your Tax Dollars
Mike Masnick | Wed, 1 Oct 2014 13:31:00 PDT
https://www.techdirt.com/articles/20141001/11474028693/computercop-keylogging-spyware-distributed-police-federal-agents-with-your-tax-dollars.shtml

various law enforcement agencies -- generally local police, but also the US Marshals -- claiming to be software to "protect your children" on the computer. What the EFF investigation actually found is that the software is little more than spyware with weak to non-existent security that likely makes kids and your computer a lot less safe. Aren't you glad your tax dollars are being spent on it?

The way ComputerCOP works is neither safe nor secure. It isn’t particularly effective either, except for generating positive PR for the law enforcement agencies distributing it. As security software goes, we observed a product with a keystroke-capturing function, also called a “keylogger,” that could place a family’s personal information at extreme risk by transmitting what a user types over the Internet to third-party servers without encryption. That means many versions of ComputerCOP leave children (and their parents, guests, friends, and anyone using the affected computer) exposed to the same predators, identity thieves, and bullies that police claim the software protects against.

Furthermore, by providing a free keylogging program—especially one that operates without even the most basic security safeguards—law enforcement agencies are passing around what amounts to a spying tool that could easily be abused by people who want to snoop on spouses, roommates, or co-workers.

The software is ancient -- dating back about 15 years -- and it doesn't look like it's improved much over the years. Even the interface looks outdated. And it doesn't appear much actual thought has been put into the product and whether or not it does anything to actually keep people safe. Instead, from all appearances, it sounds like the organization behind it is just looking to figure out ways to get taxpayer money from law enforcement, promising "cybersecurity" when it's actually making things worse. The more innocuous, but still pointless part of the tool is the "search" feature:

The tool allows the user to review recent images and videos downloaded to the computer, but it will also scan the hard drive looking for documents containing phrases in ComputerCOP’s dictionary of thousands of keywords related to drugs, sex, gangs, and hate groups. While that feature may sound impressive, in practice the software is unreliable. On some computer systems, it produces a giant haystack of false positives, including flagging items as innocuous as raw computer code. On other systems, it will only produce a handful of results while typing keywords such as "drugs" into Finder or File Explorer will turn up a far larger number of hits. While the marketing materials claim that this software will allow you to view what web pages your child visits, that's only true if the child is using Internet Explorer or Safari. The image search will potentially turn up tens of thousands of hits because it can't distinguish between images children have downloaded and the huge collection of icons and images that are typically part of the software on your computer.

Sophisticated software, this is not.

Then there's the keylogger/spyware bit.

ComputerCOP’s KeyAlert keylogging program does require installation and, if the user isn’t careful, it will collect keystrokes from all users of the computer, not just children. When running on a Windows machine, the software stores full key logs unencrypted on the user’s hard drive. When running on a Mac, the software encrypts these key logs on the user's hard drive, but these can be decrypted with the underlying software's default password. On both Windows and Mac computers, parents can also set ComputerCOP up to email them whenever chosen keywords are typed. When that happens, the software transmits the key logs, unencrypted, to a third-party server, which then sends the email. KeyAlert is included in the "deluxe," "premium," and "presentation" versions of the software.

The lack of encryption is somewhat astounding in this day and age:

Security experts universally agree that a user should never store passwords and banking details or other sensitive details unprotected on one’s hard drive, but that’s exactly what ComputerCOP does by placing everything someone types in a folder. The email alert system further weakens protections by logging into a third-party commercial server. When a child with ComputerCOP installed on their laptop connects to public Wi-Fi, any sexual predator, identity thief, or bully with freely available packet-sniffing software can grab those key logs right out of the air.

Incredibly, when EFF approached the maker of ComputerCOP, the guy behind it, Stephen DelGiorno, tried to deny any problems:

“ComputerCOP software doesn’t give sexual predator [sic] or identity thieves more access to children’s computers, as our .key logger [sic] works with the existing email and Internet access services that computer user has already engaged,” he wrote via email.

He further said that ComputerCOP would update the software's licensing agreement to say "that no personal information is obtained nor stored by ComputerCOP."

As the EFF notes, this is both unacceptable and "fairly nonsensical." EFF tested the software and found, of course, that it's quite easy to snatch passwords via the software.

The company appears to have some other difficulties with the truth as well:

In February, DelGiorno told EFF the keystroke-logging feature was a recent addition to the software and that most of the units he’s sold did not include the feature. That doesn’t seem to jibe with ComputerCOP’s online footprint. Archive.org’s WayBack Machine shows that keystroke capture was advertised on ComputerCOP.com as far back as 2001. Although some versions of ComputerCOP do not have the keylogger function, scores of press releases and regional news articles from across the country discuss the software’s ability to capture a child’s conversations.

Also, this:

In investigating ComputerCOP, we also discovered misleading marketing material, including a letter of endorsement purportedly from the U.S. Department of Treasury, which has now issued a fraud alert over the document. ComputerCOP further claims an apparently nonexistent endorsement by the American Civil Liberties Union and an expired endorsement from the National Center for Missing and Exploited Children.

You can see the Treasury Department fraud alert here, in which it states: "A falsified letter from the Treasury Executive Office for Asset Forfeiture is being circulated indicating that the Treasury approves or endorses this product: it does not." It also includes a link to a sample letter, which uses multiple fonts (which is common among faked letters). In fact, EFF got DelGiorno to admit to changing an original letter, saying he "recreated the letterhead to make it more presentable" and highlighted certain text. He claims that there was an original letter from 2001 (the letter getting passed around has the date removed), but the Treasury Department has issued the fraud report and says it's unable to find the original document that ComputerCOP claims was sent.

There are some other dubious issues related to the software and getting police departments to buy it (often with federal grants). Here's one example from the county where I grew up:

As EFF notes, ComputerCOP specifically promotes the tool as an "election and fundraising tool" telling politicians and law enforcement folks that handing it out will make them look good and even sending out camera crews "to record an introduction video with the head of the department."

The whole thing is incredibly sketchy. It's fairly ridiculous that at the same time that law enforcement folks are ridiculously claiming that encryption "harms" children, so many are actively out there spending taxpayer money on, and then distributing, an app that actively puts children (and everyone else) at risk while pretending to be done in the name of safety.

Mobile Spyware Use In Domestic Violence Ramps Up
Timothy Geigner | Thu, 3 Apr 2014 03:27:35 PDT
https://www.techdirt.com/blog/wireless/articles/20140331/03591726741/mobile-spyware-use-domestic-violence-ramps-up.shtml

We recently wrote about the emergence of NSA-like spying platforms for mobile devices. Ostensibly designed and marketed for worried mothers and/or employers to monitor their children and/or employees, reports instead indicate a more nefarious use employed by jealous men and women looking to spy on their would-be significant others. In other words, technology somewhat similar to what the NSA employs generally is being used quite specifically by the unhinged, who appear to have taken our spy agencies' example to heart.

MobiStealth, the product that received such rave reviews online, was used by convicted murderer Simon Gittany to read his girlfriend Lisa Harnum's text messages, one of several forms of control and surveillance he subjected her to. The product's website encourages potential buyers to ''get the answers you deserve''. When Gittany learned of Ms Harnum's plan to escape the abusive relationship in July 2011, he threw her off the balcony of their 15th-floor Sydney apartment.

Down Under, at least, it would appear this wasn't an isolated incident.

In a Victorian study last year, 97 per cent of domestic violence workers reported that perpetrators were using mobile technologies to monitor and harass women in domestic situations. Two-thirds of the 46 victims interviewed said they were made to feel like they were being watched or tracked, yet less than half told somebody about it.

While that first number is certainly shocking, I'm actually far more intrigued by the second set of statistics. Fewer than half of domestic violence victims who felt like they were being tracked on their mobile devices said anything to anyone? This reeks of resignation when what might be needed most is a good dose of recalcitrance. While it may be difficult to directly point the blame for these domestic violence perps at intrusively spying government agencies, I wonder if the same could be said for the victims' reluctance to do anything about being spied on. If we have to accept a world in which our own governments, or foreign governments, are going to spy on us, perhaps it makes us less likely to push back against spying that is of a domestic nature?

I'm not sure, but the way this technology is progressing and the price at which it is offered likely means that stories of this kind are in their infancy.

Mobile phone spyware costs as little as $6 a month and needs to be installed physically on a phone once for it to operate without the owner's knowledge. Shane Johnson, a spokesman for Sydney company Spousebusters, said it sold ''hundreds'' of GPS trackers, hidden cameras, listening bugs and spyware programs a year. The company asks no questions of purchasers and takes no responsibility for people using legal products to commit illegal acts.

And the perps can claim all along they're only following the NSA's example? Oh, this should work out well...

Dell's Twitter Account Apologizes For The 'Inconvenience' Of Helping NSA Install Spyware
Mike Masnick | Tue, 31 Dec 2013 05:39:41 PST
https://www.techdirt.com/articles/20131230/17174425718/dells-twitter-account-apologizes-inconvenience-helping-nsa-place-hidden-bios-bug.shtml

compromised your servers at the BIOS level with spy bugs, then, when someone -- especially a respected security guy like Martin Wismeijer -- tweets at you, you don't go with the standard scripted "sorry for the inconvenience" response. But, apparently, that's not how Dell handled things this time (thanks to Mike Mozart for the pointer):

In case you can't read that, Wismeijer complained on Twitter about finding out that his Dell server is bugged by the NSA (which might be an exaggeration...) and included the @DellCares account in his tweet. That account wrote:

Thank you for reaching out and regret the inconvenience. Our colleagues at @dellcarespro will be able to help you out.

Wismeijer responded with an expected level of anger. Not only is "regret the inconvenience" probably an inappropriate response to a customer complaining about the NSA installing malware, but the idea that Dell support "will be able to help you out" is similarly questionable.

Mozilla Sends Cease And Desist Letter To Commercial Spyware Company For Using Firefox Trademark And Code To Trick Users
Glyn Moody | Fri, 3 May 2013 18:38:00 PDT
https://www.techdirt.com/articles/20130503/08510022937/mozilla-sends-cease-desist-letter-to-commercial-spyware-company-using-firefox-trademark-code-to-trick-users.shtml

Techdirt has written several times about the increasing tendency for governments around the world to turn to malware as a way of spying on people, without really thinking through the risks. One company that is starting to crop up more and more in this context is Gamma International, thanks to its FinFisher suite of spyware products, which includes FinSpy. A recent report by Citizen Lab, entitled "For Their Eyes Only: The Commercialization of Digital Spying", has explored this field in some depth. Among its findings is the following:

We identify instances where FinSpy makes use of Mozilla's Trademark and Code. The latest Malay-language sample masquerades as Mozilla Firefox in both file properties and in manifest. This behavior is similar to samples discussed in some of our previous reports, including a demo copy of the product, and samples targeting Bahraini activists.

A recent report by Citizen Lab uncovered that commercial spyware produced by Gamma International is designed to trick people into thinking it's Mozilla Firefox. We've sent Gamma a cease and desist letter today demanding that these illegal practices stop immediately.

Choosing Mozilla as the cover for this malware is cynical in the extreme, for reasons Fowler explains:

As an open source project trusted by hundreds of millions of people around the world, defending Mozilla's trademarks from this type of abuse is vital to our brand, our users and the continued success of our mission. Mozilla has a longstanding history of protecting users online and was named the Most Trusted Internet Company for Privacy in 2012 by the Ponemon Institute. We cannot abide a software company using our name to disguise online surveillance tools that can be -- and in several cases actually have been -- used by Gamma's customers to violate citizens' human rights and online privacy.

Canadian Chamber Of Commerce Wants To Legalize Spyware Rootkits To Help Stop 'Illegal' Activity
Mike Masnick | Thu, 7 Feb 2013 09:42:36 PST
https://www.techdirt.com/articles/20130207/03465521908/canadian-chamber-commerce-wants-to-legalize-spyware-rootkits-to-help-stop-illegal-activity.shtml

allowing rootkit spyware to be installed surreptitiously for the purpose of stopping illegal activity. As Geist notes, the last time this battle was fought, it was fresh on the heels of the Sony rootkit debacle, so there wasn't much support for these concepts. But, with a few years distance, the industry groups are trying again. Specifically they either want to remove language that prevents the surreptitious installation of spyware -- or they want specific exemptions. For example, in the case of the following, they argue spyware should be allowed:

a program that is installed by or on behalf of a person to prevent, detect, investigate, or terminate activities that the person reasonably believes (i) present a risk or threatens the security, privacy, or unauthorized or fraudulent use, of a computer system, telecommunications facility, or network, or (ii) involves the contravention of any law of Canada, of a province or municipality of Canada or of a foreign state;

Basically, as long as you claim that you're going after someone for breaking the law, surreptitious installs are allowed. Geist points out the obvious: copyright holders will salivate over this.

This provision would effectively legalize spyware in Canada on behalf of these industry groups. The potential scope of coverage is breathtaking: a software program secretly installed by an entertainment software company designed to detect or investigate alleged copyright infringement would be covered by this exception. This exception could potentially cover programs designed to block access to certain websites (preventing the contravention of a law as would have been the case with SOPA), attempts to access wireless networks without authorization, or even keylogger programs tracking unsuspecting users (detection and investigation). Ensuring compliance with the law is important, but envisioning private enforcement through spyware without the involvement of courts, lawful authorities, and due process should be a non-starter.

If this works in Canada, expect to see similar provisions start popping up elsewhere around the world in short order.

Australia's Spies Want To Put Members Of The Public At Risk By Using Them To Pass On Malware to Suspected Terrorists
Glyn Moody | Thu, 17 Jan 2013 20:17:22 PST
https://www.techdirt.com/articles/20130116/09390921703/australias-spies-want-to-put-members-public-risk-using-them-to-pass-malware-to-suspected-terrorists.shtml

Last year we wrote about the German police using malware to spy on members of the public. Now ASIO, Australia's national secret service, has come up with a new variant on the idea:

A spokesman for the Attorney-General's Department said it was proposing that ASIO be authorised to ''use a third party computer for the specific purpose of gaining access to a target computer''.

The problem seems to be that even suspected terrorists are getting the hang of this security stuff:

The department said technological advances had made it ''increasingly difficult'' for ASIO to execute search warrants directly on target computers, ''particularly where a person of interest is security conscious.''

So the idea seems to be to infect the computer of someone that the alleged terrorists know, and then use that trusted link to pass on malware:

Australians' personal computers might be used to send a malicious email with a virus attached, or to load ''malware'' onto a website frequently visited by the target.

That probably seemed like a really clever ruse to the people who thought it up, but it overlooks some basic flaws.

First, once ASIO has taken control of an intermediary's computer it can do anything -- including poking around to see what's there. After all, if intermediaries are known to suspected terrorists, it's possible that they too might be terrorists.

The authorities are insisting that the warrant to break into somebody's computer would not authorize ASIO to obtain "intelligence material" from it. But you don't have to be clairvoyant to predict that at some point in the future, "exceptional" circumstances will be invoked to justify doing precisely that: once security services start down a slippery slope, they never seem to be able to stop.

Secondly, as the German experience shows, if a computer has been compromised by malware in this way, it's not just the government agencies that can take control: anyone who has obtained the malware and analyzed it will be able to look for ways to send their own instructions. That could leave innocent members of the public vulnerable to privacy breaches and economic losses that would be directly attributable to the spy agency's digital break-in.

Finally, this approach seems to overlook the fact that presumed terrorists are unlikely to be best pleased with any person that unwittingly sends them government malware. If they notice and really are ruthless terrorists, they might decide to take revenge on that person and his or her immediate circle of family and friends. Either the Australian spy agency hasn't really thought this through, or it is being extremely cavalier with the lives of the members of the public it is supposed to protect.

Dutch Propose Powers For Police To Break Into Computers, Install Spyware And Destroy Data -- Anywhere In The World
Glyn Moody | Thu, 18 Oct 2012 10:29:48 PDT
https://www.techdirt.com/articles/20121018/04092220748/dutch-propose-powers-police-to-break-into-computers-install-spyware-destroy-data-anywhere-world.shtml

Techdirt readers with long memories may recall a fantasy proposal from Orrin Hatch that would have seen technological means deployed to destroy the computers of those who downloaded unauthorized copies of files. Of course, the idea was so ridiculous it went nowhere. Now, nine years later, a similar idea has turned up, but with a rather better chance of being implemented, since it comes from a national government:

On 15 October, the Dutch ministry of Justice and Security proposed powers for the police to break into computers, install spyware, search computers and destroy data. These powers would extend to computers located outside the Netherlands.

If the Dutch government gets the power to break into foreign computers, this gives other governments the basis to break into Dutch computers which infringe the laws of their country. The end result could be less security for all computer users, instead of more. This is even more true with regard to the power to destroy data on foreign computers; it is likely that other governments would be very interested in using such a power against Dutch interests.

Even totally law-abiding users might be caught up in this digital war:

Furthermore, providing the government the power to break into computers provides a perverse incentive to keep information security weak. Millions of computers could remain badly secured because the government does not have an incentive to publish vulnerabilities quickly because it needs to exploit these vulnerabilities for enforcement purposes.

It's not really down to governments to publish details of flaws, but it's possible they might be less inclined to encourage the public to patch them, if they want to use the vulnerabilities themselves. This would doubtless lead to criminals taking advantage of widespread holes in security, with personal data being stolen, and financial systems compromised.

All-in-all, the Dutch proposal has to be one of the most foolish ever presented by a government in this area, and shows the folly of trying to come up with quick fixes for the currently-fashionable issue of "cybercrime", instead of really thinking through the consequences. Let's hope calmer heads prevail, and the proposal is withdrawn.

Thu, 12 May 2011 22:08:00 PDT
Some Feds Wanted To Find A Loophole To Avoid Warrants When Using FBI's Homemade Spyware
Mike Masnick
https://www.techdirt.com/articles/20110509/01390214204/some-feds-wanted-to-find-loophole-to-avoid-warrants-when-using-fbis-homemade-spyware.shtml
spyware, called the "computer and internet protocol address verifier," or CIPAV, for tracking down certain computer users. However, some new Freedom of Information Act-released documents provide some more details, including that other government agencies have requested to use the tool, and that there's been some serious disagreement among the feds about how it can and should be used legally (and if it's always used in legal ways).

[EFF] officials have raised concerns about documents showing that FBI agents at times employed inconsistent methods for gaining authorization to install the tracer. Their email messages talk about using a "trespasser exception" to avoid obtaining a warrant. One message recommends citing the "All Writs Act, 28 U.S.C. § 1651(a)." The group noted that one September 2007 message indicates some agents felt spyware searches do not require any legal process.

"There seems like there was a lot of back-and-forth," Lynch said.

The 2007 email stated, "I still think that use of [redacted] is consensual monitoring without need for process; In my mind, no different than sitting in a chat room and tracking participants; on/off times or for that matter sitting on P2P networks and find out who is offering KP" -- in a likely reference to law enforcement's practice of searching through file-sharing networks for sex offenders exchanging child pornography.

The thing is, it seems like this kind of thing would likely get warrant approval easily in most cases where it was really necessary. Why is it that our federal government so often seems to hate having to go through such basic oversight efforts? After all, the news just came out that the FISA court approved all 1,506 requests from the government to electronically monitor suspects. It's not as if FISA is a difficult process to go through...

Wed, 17 Feb 2010 15:41:08 PST
An Olympian Spammer Discovers That Reputation Is A Scarce Good You Don't Want To Destroy
Mike Masnick
https://www.techdirt.com/articles/20100217/1229408200.shtml
become lately, I have to admit to not paying attention to any of it so far. I heard the news of the luger's death, and that's been about it. So perhaps more people already knew about this, but apparently one of the mogul skiers has a bit of a reputation as a spam/spyware purveyor. It sounds like the guy is now out of that business, but what's fascinating is how his reputation has been tarnished over all of this, despite winning Olympic medals. The Canadians wouldn't let him on the team this time around years back, due to their dislike of his activities, so he switched his citizenship to Australia, and basically, it sounds like everyone hates him:

After Begg-Smith's second place finish in Vancouver this week, one Australian news organization published an article calling him--in the headline, no less--a "sourpuss." Another, the Sydney Morning Herald, labeled the Olympic athlete as "Mr. Miserable" and speculated that he was "simply flying a flag of convenience" with no real ties to Oz.

Canadians were more direct. Facebook groups such as "Dale Begg-Smith is a sourpuss" and another calling him a "traitor" have popped up. Twitter messages after the mogul race have included "traitor," "fake Canadian and all-around jerk," plus other phrases entirely unsuitable for a family publication.

Obviously, some of that hatred is due to him switching citizenship, but the article explains why his spamming/spyware activities are a large part of it as well (and may have resulted in the citizenship switch). I find this interesting not just because of the Olympic angle, but because of the reputation angle.

Reputation is a rather valuable "scarce good," and destroying your reputation through shady activities can come back to bite you for a long, long time, even if you do plenty of other amazing things. Just ask Metallica.